Closed Bug 1572904 Opened 6 years ago Closed 6 years ago

crash near null in [@ mozilla::dom::SVGElement::FlushAnimations]

Categories

(Core :: SVG, defect)

defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla70
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox68 --- unaffected
firefox69 --- wontfix
firefox70 --- fixed

People

(Reporter: tsmith, Assigned: longsonr)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(2 files, 1 obsolete file)

Attached file testcase.html

Reduced with m-c:
BuildID=20190809095611
SourceStamp=36c3240e5cafd7b57146bab3b177bfa47f42bcfa

The attached test case requires a fuzzing build with the "fuzzing.enabled=true" pref set.

==125952==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7f13e531e11f bp 0x7ffd48d5d870 sp 0x7ffd48d5d860 T0)
==125952==The signal is caused by a READ memory access.
==125952==Hint: address points to the zero page.
    #0 0x7f13e531e11e in GetBoolFlag /builds/worker/workspace/build/src/dom/base/nsINode.h:1505:12
    #1 0x7f13e531e11e in IsInComposedDoc /builds/worker/workspace/build/src/dom/base/nsINode.h:630
    #2 0x7f13e531e11e in GetComposedDoc /builds/worker/workspace/build/src/dom/base/nsINode.h:640
    #3 0x7f13e531e11e in mozilla::dom::SVGElement::FlushAnimations() /builds/worker/workspace/build/src/dom/svg/SVGElement.cpp:2367
    #4 0x7f13e539ee0d in mozilla::dom::SVGRect::X() /builds/worker/workspace/build/src/dom/svg/SVGRect.cpp:50:55
    #5 0x7f13e2270d51 in mozilla::dom::SVGRect_Binding::get_x(JSContext*, JS::Handle<JSObject*>, mozilla::dom::SVGRect*, JSJitGetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/SVGRectBinding.cpp:32:37
    #6 0x7f13e37506e4 in bool mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3059:13
    #7 0x7f13ea2c3627 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447:13
    #8 0x7f13ea2c3627 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:539
    #9 0x7f13ea2c8f50 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:594:10
    #10 0x7f13ea2c8f50 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:610
    #11 0x7f13ea2c8f50 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:734
    #12 0x7f13ea7ce3bf in CallGetter /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2269:12
    #13 0x7f13ea7ce3bf in GetExistingProperty<js::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2321
    #14 0x7f13ea7ce3bf in NativeGetPropertyInline<js::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2570
    #15 0x7f13ea7ce3bf in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2607
    #16 0x7f13ea2d136d in GetProperty /builds/worker/workspace/build/src/js/src/vm/ObjectOperations-inl.h:117:10
    #17 0x7f13ea2d136d in GetProperty /builds/worker/workspace/build/src/js/src/vm/ObjectOperations-inl.h:124
    #18 0x7f13ea2d136d in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:4512
    #19 0x7f13ea2ac6c8 in GetPropertyOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:217:10
    #20 0x7f13ea2ac6c8 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2770
    #21 0x7f13ea28db4f in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:424:10
    #22 0x7f13ea2c412f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:567:13
    #23 0x7f13ea2c6352 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:610:8
    #24 0x7f13eadd0bf8 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2659:10
    #25 0x7f13e2fb7854 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:267:37
    #26 0x7f13e3f1ef31 in Call<nsCOMPtr<mozilla::dom::EventTarget> > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #27 0x7f13e3f1ef31 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:205
    #28 0x7f13e3ee351c in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1031:22
    #29 0x7f13e3ee4f60 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1223:17
    #30 0x7f13e3ecbbaa in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
    #31 0x7f13e3ecbbaa in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349
    #32 0x7f13e3eca3c2 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:551:16
    #33 0x7f13e3ecfd8b in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1047:11
    #34 0x7f13df9b6e54 in nsHtml5SVGLoadDispatcher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5SVGLoadDispatcher.cpp:30:3
    #35 0x7f13dcddd111 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
    #36 0x7f13dce0f060 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
    #37 0x7f13dce15478 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #38 0x7f13de01e1bf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #39 0x7f13ddf1b6e2 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #40 0x7f13ddf1b6e2 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #41 0x7f13ddf1b6e2 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #42 0x7f13e6118d09 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #43 0x7f13ea00b53f in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:919:20
    #44 0x7f13ddf1b6e2 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #45 0x7f13ddf1b6e2 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #46 0x7f13ddf1b6e2 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #47 0x7f13ea00ade6 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:754:34
    #48 0x55bd912cef13 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #49 0x55bd912cef13 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:267
Flags: in-testsuite?

Looks like this may have been a regression from bug 1551030.

Seems like script can keep a reference to a cycle-collected SVGRect (so that mParent is null)... That looks bad.

Robert, any ideas?

Flags: needinfo?(longsonr)
Regressed by: 1551030
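The comment above describes a script-held SVGRect wrapper whose mParent has been cleared by cycle collection, so the getter's FlushAnimations() call runs on a null node (the zero-page read at 0x1c in the report). The following is an added example, not Gecko code: a simplified model of that pattern with the unchecked getter beside a null-checked one. The landed fix instead refactors the cycle-collection code, which this model does not reproduce; the struct and member names are stand-ins.

```cpp
// Stand-in for the owning SVG element whose animated values must be flushed.
struct Element {
    int flushCount = 0;
    void FlushAnimations() { ++flushCount; }
};

// Stand-in for the script-visible SVGRect wrapper. It keeps a raw owner
// pointer; cycle collection's Unlink() clears that pointer, but script can
// still hold the wrapper and call its getters afterwards.
struct RectUnchecked {
    Element* mParent;
    float mX;
    RectUnchecked(Element* p, float x) : mParent(p), mX(x) {}
    void Unlink() { mParent = nullptr; }
    // Same shape as frames #3/#4 in the report: flush through mParent, then
    // read. After Unlink() this dereferences null (model, not Gecko code).
    float X() {
        mParent->FlushAnimations();
        return mX;
    }
};

// Defensive variant: only flush while the wrapper still has an owner.
struct RectChecked {
    Element* mParent;
    float mX;
    RectChecked(Element* p, float x) : mParent(p), mX(x) {}
    void Unlink() { mParent = nullptr; }
    float X() {
        if (mParent) {
            mParent->FlushAnimations();
        }
        return mX;
    }
};

// Replays the sequence from the report: wrapper reachable from script,
// owner torn down (Unlink), getter still called. True if the read survived
// and no flush ran against the cleared owner.
bool GetterSurvivesUnlink() {
    Element owner;
    RectChecked rect(&owner, 4.0f);
    rect.X();                 // live owner: one flush
    int before = owner.flushCount;
    rect.Unlink();            // cycle collection clears the owner pointer
    float x = rect.X();       // must not touch the null owner
    return x == 4.0f && owner.flushCount == before && before == 1;
}
```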

No idea. Feel free to back out that patch.

Flags: needinfo?(longsonr)

No need to back out, this should be reproducible and thus fixable. I'm happy to back out as a last resort though.

Flags: needinfo?(emilio)

Thanks Robert :)

Flags: needinfo?(emilio)
Attachment #9085824 - Attachment is obsolete: true
Pushed by longsonr@gmail.com: https://hg.mozilla.org/integration/autoland/rev/61a21b2c9e6e refactor cycle collection code after DOMSVGAngle r=emilio
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
Assignee: nobody → longsonr
Crash Signature: [@ mozilla::dom::SVGElement::FlushAnimations]
Flags: in-testsuite? → in-testsuite+
Has Regression Range: --- → yes